Explicitly set comment diff fragments as javascript MIME type

Review Request #7432 — Created June 17, 2015 and submitted — Latest diff uploaded

Information

Review Board
master
9c7ce94...

Reviewers

If the HTTP header 'X-Content-Type-Options' is set to 'nosniff,'
compliant browsers (Google Chrome, for example) will not attempt to
MIME-sniff a response content type different from its declared type.

The comment diff fragment currently returns an HTTP response with a
default type of 'text/html,' but it is clearly code intended to be run
as a script of type 'application/javascript.'

On latest Google Chrome stable, this results in an error and a failure
to render the comment diff box.

Set the content type of this response to 'application/javascript,' to
reflect its true nature.

RB version: 2.0.17
Browser: Google Chrome 43.0.2357.124 (64-bit), Mac OS X.
Server: nginx 1.8.0, configured to serve the 'nosniff' header.

Manually inspected response headers before and after patch. The content type is 'text/html' before, and fails to render, instead showing the spinning logo forever. Chrome console reports an error:

Refused to execute script from 'https://test.mydomain.com/r/743/fragments/diff-comments/2246/?queue=diff_fragments&container_prefix=comment_container&1234556' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

After this patch, the box renders correctly, and no error is encountered.
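The browser behaviour described above, modelled as an added example (this is not Review Board code, and the fragment body and URL below are constructed stand-ins). It builds the 'before' and 'after' fragment responses as plain header dicts and applies the strict MIME check a nosniff-compliant browser performs before executing a response as a script: with 'nosniff' present, only a JavaScript MIME type is executable, so the 'text/html' response is refused and the 'application/javascript' one is accepted. The JavaScript MIME type list is the commonly cited subset from the WHATWG MIME Sniffing standard; the rule that a response without 'nosniff' is not blocked is a simplifying assumption (real browsers may sniff in that case).

```python
"""Model of strict MIME type checking for script loads under 'nosniff'.

Added example, not Review Board's own code. Responses are plain dicts so
the check runs offline; the fragment body and URL are constructed values.
"""

# Common JavaScript MIME types accepted for script execution (subset of
# the WHATWG MIME Sniffing standard's list).
JAVASCRIPT_MIME_TYPES = {
    "application/javascript", "application/ecmascript",
    "application/x-javascript", "application/x-ecmascript",
    "text/javascript", "text/ecmascript",
    "text/x-javascript", "text/x-ecmascript", "text/jscript",
}

# Constructed stand-in for the real fragment body, which is JavaScript
# emitted by the diff-comment fragment view.
FRAGMENT_JS = 'DiffFragmentQueue.add("comment_container_2246", "<div>...</div>");'
FRAGMENT_URL = "https://example.invalid/r/743/fragments/diff-comments/2246/"


def essence(content_type):
    """Strip parameters and normalise: 'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers):
    """True when the response opted out of MIME sniffing."""
    return headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"


def script_blocked(headers):
    """Return True if a strict-checking browser refuses to run this response as a script.

    Assumption: without 'nosniff' the browser is not modelled as blocking
    (it may sniff instead); with 'nosniff' the declared type is final.
    """
    if not nosniff_enabled(headers):
        return False
    return essence(headers.get("Content-Type", "")) not in JAVASCRIPT_MIME_TYPES


def console_message(url, headers):
    """Reproduce the shape of Chrome's console error, or None if the script runs."""
    if not script_blocked(headers):
        return None
    declared = essence(headers.get("Content-Type", ""))
    return ("Refused to execute script from '%s' because its MIME type ('%s') "
            "is not executable, and strict MIME type checking is enabled."
            % (url, declared))


def build_fragment_response(content_type):
    """Fragment response as served behind an nginx that adds 'nosniff'."""
    return {
        "status": 200,
        "headers": {
            "Content-Type": content_type,
            "X-Content-Type-Options": "nosniff",
        },
        "body": FRAGMENT_JS,
    }


def before_patch():
    """Default Django content type: correct body, wrong declared type."""
    return build_fragment_response("text/html; charset=utf-8")


def after_patch():
    """Content type set explicitly to match what the body actually is."""
    return build_fragment_response("application/javascript")


def upload_served_as_text():
    """Why 'nosniff' is worth keeping: a constructed text/plain response that
    happens to contain script-looking content must still not be executed."""
    return {
        "status": 200,
        "headers": {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
        "body": "alert(1)  // constructed user-supplied text, not a script",
    }


if __name__ == "__main__":
    for label, resp in (("before", before_patch()), ("after", after_patch()),
                        ("text/plain upload", upload_served_as_text())):
        msg = console_message(FRAGMENT_URL, resp["headers"])
        print("%-18s %s" % (label + ":", msg or "script executes"))
```

The point of the model is that the fix keeps the hardening header in place and corrects the declared type, rather than dropping 'nosniff' to make the fragment load; the text/plain case shows the header still doing its job for content that should never be executed.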
